Privacy Impact Assessments

Each as unique as your data

A privacy impact assessment (PIA) is one of the critical tools for being able to provide robust assurances to stakeholders and, quite frankly, to having a sense of control over personally sensitive information.

This is not a one-size-fits-all exercise. A properly done PIA report will not only identify existing and potential risks to privacy in the project or program being reviewed, but will also provide recommendations that are contextually appropriate to your organization.

A good PIA will be based on the appropriate legislation (it's surprising how many provincial PIAs I've seen that refer to PIPEDA, instead of FIPPA, as the applicable legislation, for example), will clearly identify the data that is in scope of the assessment, and will build clearly demonstrable links between business processes, sensitive data, risks to that data, and recommendations to address the risks. If the assessments you have seen do not have these elements and these links, you may not be entirely happy with the results.

John Wunderlich bases his assessments on each client's unique context and requirements. As a result, each PIA does not apply a pre-built template that may or may not be appropriate, but is instead a living document built in collaboration with each stakeholder. This enables the organization to 'own' the assessment and its remediation, rather than seeing it as an external imposition.